I am a forensic examiner attempting to take a physical acquisition image of an iPhone 3GS with the firmware 3.1.2 installed. I have successfully jailbroken the phone and installed sshd. I need to take a physical disk image of the user data partition.

I have, however, noticed that I am able to copy the /character devices/ without any problems. So, what does it take to get `dd' to copy a block device? On linux and unix it will do this without any issues. I tried to compile my own dd for the target arch, but at the end of the day it just says "killed". My guess is some sort of unsigned binary problem or something.

I really just need to be able to use dd against the block devices so I can take the image and get it over with. Thanks in advance.

I'm having trouble with a "Resource Busy" error when using dd and hope to find a solution. Let me know if you get it working.

Clof

Try using the device "/dev/rdisk0s2".

The following command string worked for me:

dd if=/dev/disk0s2 conv=sync,noerror bs=4k

This command dumped an entire copy of the 16GB of flash memory in my iPhone 3G (firmware 3.1.3) to a "dd" image (via netcat) which I simply renamed with a ".dmg" extension, and was able to mount on my mac and view all of the files. Look underneath the "/mobile/Library" folder for the user's data.